W32/Small.KJ !tr

Analysis

Specifics
This Trojan binds with TCP ports 40008 and 40010, and awaits instructions from a malicious user. If run, the Trojan copies itself as two files into the System32 folder -
suchostp.exe - 15,000 bytes
suchosts.exe - 11,000 bytes
The Trojan contains "Zaraza" - a multi-proxy program and reverse shell code. "Zaraza" is also known as "tiny proxy" and provides proxy services for the following -
HTTP
HTTPS
FTP
Socks4/Socks5
POP3
UDP mapping
Loading at Windows startup
The Trojan registers itself to load at each Windows startup from its current installed location, commonly the "Startup" folder for Windows -
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\
"Configuration Service" = C:\WINNT\System32\suchost.exe
During testing, the Trojan did not create the file "suchost.exe", so it is not likely to load at Windows startup.

Recommended Action

• Check the main screen using the web interface for your FortiGate unit to ensure that the latest AV/NIDS database has been downloaded and installed on your system - if required, enable the "Allow Push Update" option